Unrevoke GPG Primary Key
WARNING: This section is about tinkering with the GPG primary key. It's black magic, so you should not do it unless you know what you're doing.
If, for whatever reason, you want to remove the revocation from a revoked primary key, this section will guide you through it. NOTE that the proper way is to restore the key from a backup.
Un-revoke Primary Key
If you regret revoking a primary key and you haven't distributed the revoked key to any keyserver, you can un-revoke it. However, if you have already distributed the revoked public key, un-revoking it has little effect aside from recycling the key locally: anyone who fetched the revoked copy will still treat it as revoked.
Check Your Revoked Key
First, let's check your revoked key. You should see the revoked label when you list your key with the --list-keys and --list-secret-keys arguments.
$ gpg --list-keys
/home/jane/.gnupg/pubring.kbx
---------------------------------
pub rsa4096 2018-09-23 [SC] [revoked: 2018-09-28]
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid [ revoked] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
$ gpg --list-secret-keys
/home/jane/.gnupg/pubring.kbx
---------------------------------
sec rsa4096 2018-09-23 [SC] [revoked: 2018-09-28]
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid [ revoked] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
Export Your Public Key
Now export the public key. The command is:
$ gpg --export <key-ID> > revoked.gpg
Here's an example based on the output above:
$ gpg --export 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9 > revoked.gpg
$ ls
revoked.gpg
$
Split The Public Key
Now we split the public key into its individual packets with the gpgsplit command. It writes each packet (keys, user IDs, and signatures) to its own file, numbered in the order they appear in the key.
$ gpgsplit <public file>
Here's an example based on the output above:
$ gpgsplit revoked.gpg
$ ls
revoked.gpg
000001-006.public_key
000002-002.sig
000003-013.user_id
000004-002.sig
000005-014.public_subkey
000006-002.sig
000007-014.public_subkey
000008-002.sig
$
Look for Revoke Certificate Signature
We should look for the signature file (.sig) that is the revocation certificate. Usually it's 000002-002.sig, the signature directly after the primary key packet. However, to be sure, use the gpg --list-packets <signature file> command to inspect its contents.
The signature class must be 0x20 (sigclass 0x20); this marks a key revocation signature. Based on the example above:
$ gpg --list-packets 000002-002.sig
# off=0 ctb=89 tag=2 hlen=3 plen=849
:signature packet: algo 1, keyid 9FD86FAAE50BB2F0
version 4, created 1538140913, md5len 0, sigclass 0x20
digest algo 8, begin of digest fb db
hashed subpkt 33 len 21 (issuer fpr v4 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9)
hashed subpkt 2 len 4 (sig created 2018-09-28)
hashed subpkt 29 len 283 (revocation reason 0x01 (Proceed to use the main key with fingerprint DFE3 8497 1163 9287 E4DD 2095 D94C A965 2371 5D12\navailable at various keyservers:\n1. pgp.mit.edu (https://pgp.mit.edu/pks/lookup?op=get&search=0xD94CA96523715D12\x29\n2. pool.sks-keyservers.net\n3. keyring.debian.org\n4. keyserver.ubuntu.com))
subpkt 16 len 8 (issuer key ID 9FD86FAAE50BB2F0)
data: [4092 bits]
Delete the Revocation Certificate Signature
Now that you have identified the signature file, delete it. Based on the example above:
$ rm 000002-002.sig
$ ls
revoked.gpg
000001-006.public_key
000003-013.user_id
000004-002.sig
000005-014.public_subkey
000006-002.sig
000007-014.public_subkey
000008-002.sig
$
Assemble the Public Key Back Again
We now reassemble the remaining packets into a single public key file again. Use cat to concatenate them; the numbered file names keep the packets in their original order. Example:
$ cat 00000* > myfixedkey.gpg
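The split, identify, delete and reassemble steps above can be done in one pass over the exported key. The following is an added example, not part of the original guide or of GnuPG: it parses the OpenPGP packet framing (RFC 4880 section 4.2), reports the signature class of every signature packet as gpg --list-packets does, and reassembles the key without any sigclass 0x20 packet. The SAMPLE_KEY bytes are constructed dummy packets, not a real key.

```python
def read_packet(blob, off):
    """Parse the OpenPGP packet header at `off`; return (tag, body_start, end)."""
    ctb = blob[off]
    if not ctb & 0x80:
        raise ValueError("no OpenPGP packet header at offset %d" % off)
    if ctb & 0x40:                                   # new-format header
        tag, b0 = ctb & 0x3F, blob[off + 1]
        if b0 < 192:
            length, hlen = b0, 2
        elif b0 < 224:
            length, hlen = ((b0 - 192) << 8) + blob[off + 2] + 192, 3
        elif b0 == 255:
            length, hlen = int.from_bytes(blob[off + 2:off + 6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                            # old-format header (ctb=89 in the listing)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        size = {0: 1, 1: 2, 2: 4}[ltype]             # ltype 3 (indeterminate) -> KeyError
        length, hlen = int.from_bytes(blob[off + 1:off + 1 + size], "big"), 1 + size
    return tag, off + hlen, off + hlen + length

def sigclass(body):
    """Signature type octet: v3 signatures keep it at offset 2, v4+ at offset 1."""
    return body[2] if body[0] == 3 else body[1]

def split_packets(blob):
    """Yield (tag, sigclass or None, raw packet bytes): one tuple per gpgsplit file."""
    off = 0
    while off < len(blob):
        tag, start, end = read_packet(blob, off)
        yield tag, (sigclass(blob[start:end]) if tag == 2 else None), blob[off:end]
        off = end

def strip_key_revocations(blob):
    """Reassemble the key with every sigclass 0x20 (key revocation) signature dropped."""
    return b"".join(raw for tag, sc, raw in split_packets(blob)
                    if not (tag == 2 and sc == 0x20))

def old_packet(tag, body):
    """Build an old-format packet with a 2-byte length (ctb 0x89 for a signature)."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

SAMPLE_KEY = b"".join([  # constructed stand-in for revoked.gpg; dummy bodies, no real key
    old_packet(6, b"\x04" + b"\x00" * 7),                   # public key packet
    old_packet(2, b"\x04\x20\x01\x08\x00\x00"),              # v4 sig, class 0x20
    old_packet(13, b"Jane Smith <jane.smith@example.com>"),  # user id packet
    old_packet(2, b"\x04\x13\x01\x08\x00\x00"),              # v4 sig, class 0x13
])
```

Run on a real export, `strip_key_revocations(open("revoked.gpg", "rb").read())` yields the same bytes as the cat step, and `split_packets` lets you confirm that exactly one sigclass 0x20 packet was present before deleting anything.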
Expertly Remove the Old Key
Now that we have a clean public key, we need to delete the existing (revoked) public key from the keyring. This is an expert move, so you'll need the --expert argument. Here's the command:
$ gpg --expert --delete-key <key-ID>
Based on the example above:
$ gpg --expert --delete-key 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
You'll be asked to confirm the deletion. Proceed with yes (y).
Import the Fixed Public Key
With the old public key removed, you can now import the fixed public key back.
$ gpg --import myfixedkey.gpg
Verify the Key
Now that everything is done, verify your key again. You should see that it is no longer revoked.
$ gpg --list-keys
/home/jane/.gnupg/pubring.kbx
---------------------------------
pub rsa4096 2018-09-23 [SC]
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub rsa4096 2018-09-23 [E]
sub rsa4096 2018-09-23 [E]
sub rsa4096 2018-09-23 [S]
$ gpg --list-secret-keys
/home/jane/.gnupg/pubring.kbx
---------------------------------
sec rsa4096 2018-09-23 [SC]
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
ssb rsa4096 2018-09-23 [E]
ssb rsa4096 2018-09-23 [E]
ssb rsa4096 2018-09-23 [S]
Clean Up
With everything up and ready, clean up your workspace: remove revoked.gpg, myfixedkey.gpg, and the split packet files.
That's all about un-revoking a key in GnuPG.